
Wednesday, October 17, 2012

Apple Mountain Lion 10.8.2 - lots of bug fixes, no known vices


Together with the much-vaunted launch of the iPhone 5 last week came Apple's public release of its latest mobile operating system upgrade, iOS 6.

Not quite as widely hyped as iOS 6 was another system update that Apple released at the same time: OS X 10.8.2, the second point update to Mountain Lion.

With a couple of working days plus a weekend under their belts, OS X Mountain Lion 10.8.2 and its sibling updates, Lion 10.7.5 and Snow Leopard's Security Update 2012-004, don't seem to have caused early adopters any major problems.

In short, it looks like a case of "no known vices."

And that raises the question, "Should I stay or should I go?"

I'd suggest, "Go!"

These latest OS X updates include 27 separately documented fixes (not all of which apply to every OS X version); overall, 95 distinct CVEs are dealt with, 12 of them annotated with the dreaded words "may lead to arbitrary code execution".

Here they are, coalesced into a single table:

Component OS Vulnerability CVEs fixed

* The initials S, L and M denote that the vulnerability affects Snow Leopard, Lion and Mountain Lion respectively.

* DoS stands for Denial of Service.

* RCE stands for Remote Code Execution.

As often happens with simultaneous upgrades to three different core versions of OS X, there isn't a one-size-fits-all download you can apply.

Mountain Lion users move to 10.8.2, which includes an update from Safari 6.0 to 6.0.1.

The Safari update is pretty important: it fixes information-leakage vulnerabilities in the browser front end, as well as potential remote code execution holes in WebKit, the HTML rendering engine that Safari and many other OS X applications rely on. Since WebKit is reached simply by visiting a booby-trapped web page, these are the fixes that matter most for day-to-day browsing.

Lion users also get a new point release, going to 10.7.5, but don't get Safari 6.0.1 bundled in with it. That's a separate update, predictably called Safari 6.0.1.

On Snow Leopard, the security fixes don't change the OS version: you stay at 10.6.8, and you need Security Update 2012-004. Safari 6 requires Lion or later, so there is no Safari 6.0.1 package for Snow Leopard; it remains on Safari 5.1.x. That also means you can't tell from the version number alone whether a Snow Leopard Mac has the update; you have to check the installed package receipts (or what Software Update still offers).
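The "which download do I need?" logic in the three paragraphs above, as an added example (not code from the article or from Apple) that a fleet administrator could run over reported version numbers. It encodes the mapping the post describes: Mountain Lion goes to 10.8.2 (Safari 6.0.1 bundled), Lion goes to 10.7.5 plus the separate Safari 6.0.1 package, and Snow Leopard takes Security Update 2012-004 (Safari 6 needs 10.7 or later, so no Safari package applies). On a real Mac it reads the live values with `sw_vers` and `defaults read`; the use of `pkgutil --pkgs` to spot the Security Update receipt by the substring "2012.004" is an assumption about the receipt name, not something the article states. Off a Mac it runs over constructed sample inputs.

```shell
#!/bin/sh
# Added example, not code from the article or from Apple.
# Decide which of Apple's September 2012 updates a Mac still needs from its
# OS X version and Safari version, using the mapping described in the post:
#   10.8.x -> OS X 10.8.2 (which bundles Safari 6.0.1)
#   10.7.x -> OS X 10.7.5 plus the separate Safari 6.0.1 package
#   10.6.x -> Security Update 2012-004 (Safari 6 needs 10.7 or later)
# Security Update 2012-004 does not change the version reported by sw_vers
# (it stays 10.6.8), so whether it is installed is passed in separately.

# ver_key VERSION: map a dotted version such as 10.8.2 to an integer that
# orders correctly for up to three numeric fields (missing fields count as 0)
ver_key() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# ver_ge A B: succeed when version A is at least version B
ver_ge() {
    [ "$(ver_key "$1")" -ge "$(ver_key "$2")" ]
}

# pending_updates OSVER SAFARIVER [HAS_SU_2012_004]
# Prints one line per update still needed, nothing when fully patched.
# The third argument ("yes"/"no", default "no") is only consulted on 10.6.
pending_updates() {
    os=$1
    safari=$2
    has_su=${3:-no}
    case "$os" in
        10.8|10.8.*)
            if ver_ge "$os" 10.8.2; then
                # 10.8.2 ships Safari 6.0.1; an older Safari here is an anomaly
                ver_ge "$safari" 6.0.1 || echo "Safari 6.0.1"
            else
                echo "OS X 10.8.2 (includes Safari 6.0.1)"
            fi
            ;;
        10.7|10.7.*)
            ver_ge "$os" 10.7.5 || echo "OS X 10.7.5"
            ver_ge "$safari" 6.0.1 || echo "Safari 6.0.1"
            ;;
        10.6|10.6.*)
            [ "$has_su" = yes ] || echo "Security Update 2012-004"
            ;;
        *)
            echo "no September 2012 update mapping for OS X $os" >&2
            return 1
            ;;
    esac
}

# On a real Mac, read the live values; elsewhere run the constructed samples.
if [ "$(uname -s 2>/dev/null)" = Darwin ]; then
    os=$(sw_vers -productVersion)
    safari=$(defaults read /Applications/Safari.app/Contents/Info.plist \
                 CFBundleShortVersionString 2>/dev/null || echo 0)
    # Assumption: the Security Update's receipt identifier contains "2012.004".
    if pkgutil --pkgs 2>/dev/null | grep -q '2012\.004'; then
        has_su=yes
    else
        has_su=no
    fi
    pending_updates "$os" "$safari" "$has_su"
else
    # Constructed sample inputs (not real hosts): one machine per OS X line
    for sample in "10.8.1 6.0 no" "10.7.5 6.0 no" "10.6.8 5.1.7 no"; do
        set -- $sample
        echo "== OS X $1, Safari $2 =="
        pending_updates "$1" "$2" "$3"
    done
fi
```

The version comparison is done by hand because `sort -V` is not available everywhere and `[ "$a" -ge "$b" ]` on dotted strings is meaningless; the Snow Leopard case is the one to watch, since a correctly patched 10.6 machine and an unpatched one report the same `sw_vers` output.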

Apple also published an iPhoto update at the same time: if you're on Mountain Lion, as I am, you'll find you have to go to 10.8.2 before you can get the "performance and stability improvements" promised by upgrading iPhoto.

By the way, the new version of OS X Mountain Lion was a 366MByte download; iPhoto on its own clocked in at 373MBytes.

I suspect Apple is trying to tell me something there - I just haven't worked out what it is yet.


Tags: Apple, cve, DOS, Exploit, Lion, Mountain Lion, OS X, Patch, rce, Snow Leopard, update, vulnerability

